Changes have been made to the WebSphere MQ queue manager to disallow by default the configuration of CipherSpecs that use cryptographic algorithms or protocols that are now considered to be weak:

RC4_SHA_US

RC4_MD5_US

TRIPLE_DES_SHA_US

DES_SHA_EXPORT1024

RC4_56_SHA_EXPORT1024

RC4_MD5_EXPORT

RC2_MD5_EXPORT

DES_SHA_EXPORT

TLS_RSA_WITH_DES_CBC_SHA

NULL_SHA

NULL_MD5

FIPS_WITH_DES_CBC_SHA

FIPS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_NULL_SHA256

These deprecated CipherSpecs are by default no longer permitted on MQ channel definitions. Attempting to use these CipherSpecs returns the following message: AMQ9635: Channel did not specify a valid CipherSpec.

You can re-enable the deprecated CipherSpecs within the SSL stanza of the qm.ini file as follows:

SSL:
   AllowWeakCipherSpec=Yes

You can also re-enable the deprecated CipherSpecs by setting the environment variable AMQ_SSL_WEAK_CIPHER_ENABLE to “Yes”, or by exporting it with that value.

This variable should be set or exported within the environment used to start the queue manager.

Defining this variable enables the deprecated CipherSpecs regardless of the value specified in the qm.ini file.